From d3e395b71dbb5de6da9acbab8a23f0e5ae5d0a02 Mon Sep 17 00:00:00 2001 From: Niten Date: Wed, 17 Mar 2021 19:45:40 +0000 Subject: [PATCH] Arg, fucking port forwarding is shit --- config/domains/rus.selby.ca.nix | 2 +- config/hosts.nix | 10 +++ config/hosts/plato.nix | 2 + config/profiles/common.nix | 5 +- initialize.nix | 1 - lib/default.nix | 1 + lib/fudo/common.nix | 64 +--------------- lib/fudo/global.nix | 5 ++ lib/fudo/hosts.nix | 61 +++++++++++++--- lib/fudo/kdc.nix | 13 ++-- lib/fudo/system.nix | 125 ++++++++++++++++++++------------ nixops/lib/hosts.nix | 1 + 12 files changed, 163 insertions(+), 127 deletions(-) create mode 100644 lib/fudo/global.nix diff --git a/config/domains/rus.selby.ca.nix b/config/domains/rus.selby.ca.nix index 3c2a8b4..865d469 100644 --- a/config/domains/rus.selby.ca.nix +++ b/config/domains/rus.selby.ca.nix @@ -2,4 +2,4 @@ { -} \ No newline at end of file +} diff --git a/config/hosts.nix b/config/hosts.nix index 3bc38b6..a22b9f3 100644 --- a/config/hosts.nix +++ b/config/hosts.nix @@ -26,6 +26,8 @@ domain = "rus.selby.ca"; site = "russell"; profile = "server"; + ssh-pubkey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB07Jf/NB4OlFSEI/eLJlNLA2sM9cHw1hX43r43nQ7a5"; }; downstairs-desktop = { @@ -43,6 +45,8 @@ domain = "rus.selby.ca"; site = "russell"; profile = "desktop"; + ssh-pubkey = + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPqyDT/JqTxWZbpOXzy1Sxba2z2hNzt2BqjLspPvJLVc9zks1GMlnKAY5Nb7y7oi+CzeZMU+KAa069wZ/mYvpas="; }; france = { @@ -59,6 +63,8 @@ domain = "fudo.org"; site = "portage"; profile = "server"; + ssh-pubkey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1COad5NSK3mi66WK5uWf79NLMf5rk350kvJGsEdDmn"; }; google-wifi = { @@ -96,6 +102,8 @@ domain = "sea.fudo.org"; site = "seattle"; profile = "server"; + ssh-pubkey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHT8Uf6m8ZrSn4nmPyIO+JWLbgXJGX4jJTk0wfqDzzjb"; }; plato = { 
@@ -111,6 +119,8 @@ domain = "rus.selby.ca"; site = "russell"; profile = "server"; + ssh-pubkey = + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGuClWAtkOMBOVFAFFdWosCT8NvuJBps46P4RV+Qqz4b"; }; procul = { diff --git a/config/hosts/plato.nix b/config/hosts/plato.nix index 332d62b..6db97c7 100644 --- a/config/hosts/plato.nix +++ b/config/hosts/plato.nix @@ -27,6 +27,8 @@ with lib; { "L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa" "L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub" "L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts" + "L /etc/ssh/ssh_host_ed25519_key - - - - /state/ssh/ssh_host_ed25519_key" + "L /etc/ssh/ssh_host_rsa_key - - - - /state/ssh/ssh_host_rsa_key" ]; services = { diff --git a/config/profiles/common.nix b/config/profiles/common.nix index 9a3dc80..6884976 100644 --- a/config/profiles/common.nix +++ b/config/profiles/common.nix @@ -59,7 +59,10 @@ in { }; }; - fail2ban.enable = true; + fail2ban = { + enable = true; + bantime-increment.enable = true; + }; xserver = { layout = "us"; diff --git a/initialize.nix b/initialize.nix index 4546557..8b3061b 100644 --- a/initialize.nix +++ b/initialize.nix @@ -20,7 +20,6 @@ fudo.hosts."${hostname}" = { domain = domain; - hostname = hostname; site = site; profile = profile; }; diff --git a/lib/default.nix b/lib/default.nix index 50bf886..3bfc890 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -16,6 +16,7 @@ with lib; { ./fudo/domains.nix ./fudo/garbage-collector.nix ./fudo/git.nix + ./fudo/global.nix ./fudo/grafana.nix ./fudo/hosts.nix ./fudo/ipfs.nix diff --git a/lib/fudo/common.nix b/lib/fudo/common.nix index 98220d9..92b7bb7 100644 --- a/lib/fudo/common.nix +++ b/lib/fudo/common.nix 
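Review bot: The two new tmpfiles `L` entries in config/hosts/plato.nix point sshd's private host keys at /state/ssh, but nothing in the hunk creates that directory or fixes its mode, so how well those private keys are protected depends entirely on what /state/ssh already is; a line such as `"d /state/ssh 0700 root root -"` ahead of the links would pin that down. The `.pub` siblings are not linked, unlike the root `id_rsa`/`id_rsa.pub` pair above; sshd does not need them, but checking the `ssh-pubkey` values recorded in config/hosts.nix against /etc/ssh/ssh_host_ed25519_key.pub is easier when they are present. The enclosing list starts outside the hunk.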
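Review bot: Enabling `fail2ban.bantime-increment` in config/profiles/common.nix makes repeat bans grow longer, and the hunk sets no `ignoreIP`, so unless management sources are excluded elsewhere in this file an operator's own mistyped logins will be locked out for escalating periods on every host using this profile. If that is not already covered outside the hunk, consider `ignoreIP = [ "<management-network-cidr>" ];` alongside `enable`, and a short comment stating which networks are exempt and why.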
@@ -1,65 +1,5 @@ # General Fudo config, shared across packages { config, lib, pkgs, ... }: -with lib; { - options.fudo.common = { - - hostname = mkOption { - type = types.str; - description = '' - Hostname of the local host (without domain). - ''; - }; - - # domain = mkOption { - # type = types.str; - # description = '' - # Domain of the local network. - # ''; - # }; - - # local-networks = mkOption { - # type = with types; listOf str; - # description = '' - # A list of networks to consider 'local'. Used by various services to - # limit access to the external world. - # ''; - # default = [ ]; - # }; - - # profile = mkOption { - # type = with types; nullOr str; - # example = "desktop"; - # description = '' - # The profile to use for this host. This will do some profile-dependent - # configuration, for example removing X-libs from servers and adding UI - # packages to desktops. - # ''; - # default = null; - # }; - - # site = mkOption { - # type = with types; nullOr str; - # example = "seattle"; - # description = '' - # The site at which this host is located. This will do some site-dependent - # configuration. - # ''; - # default = null; - # }; - - # www-root = mkOption { - # type = types.path; - # description = "Path at which to store www files for serving."; - # example = /var/www; - # }; - - # admin-email = mkOption { - # type = types.str; - # description = "Email for administrator of this system."; - # default = "admin@fudo.org"; - # }; - - # enable-gui = mkEnableOption "Install desktop GUI software."; - }; -} +with lib; +{ } diff --git a/lib/fudo/global.nix b/lib/fudo/global.nix new file mode 100644 index 0000000..f8e497b --- /dev/null +++ b/lib/fudo/global.nix @@ -0,0 +1,5 @@ +{ config, lib, pkgs, ... }: + +with lib; { + config = { }; +} diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix index 3b6d544..b3ca95e 100644 --- a/lib/fudo/hosts.nix +++ b/lib/fudo/hosts.nix 
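Review bot: Deleting `options.fudo.common.hostname` in lib/fudo/common.nix turns any remaining `config.fudo.common.hostname` reader into an evaluation error; this diff only removes the option and its definition, so whether the kdc module's `local-hostname` or anything else still reads it cannot be seen here and should be checked. What remains, `with lib; { }`, is an empty module with a dead `with`; either drop the file from lib/default.nix's imports or leave a one-line comment such as `# Intentionally empty: host-level options now live in lib/fudo/hosts.nix` so the next reader does not mistake it for a lost file.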
@@ -4,21 +4,28 @@ with lib; let hostOpts = { hostname, ... }: { options = with types; { - hostname = mkOption { - type = types.str; - description = "Hostname (without domain name)."; - default = hostname; - }; - domain = mkOption { - type = types.str; + type = str; description = - "Domain to which the host belongs, in the form of a domain name."; + "Primary domain to which the host belongs, in the form of a domain name."; default = "fudo.org"; }; + extra-domains = mkOption { + type = listOf str; + description = "Extra domain in which this host is reachable."; + default = [ ]; + }; + + aliases = mkOption { + type = listOf str; + description = + "Host aliases used by the current host. Note this will be multiplied with extra-domains."; + default = [ ]; + }; + site = mkOption { - type = types.str; + type = str; description = "Site at which the host is located."; }; @@ -50,7 +57,7 @@ let }; description = mkOption { - type = types.str; + type = str; description = "Description of this host."; default = "Another Fudo Host."; }; @@ -92,6 +99,13 @@ let "List of services which should exist for this host, if it belongs to a realm."; default = [ "ssh" "host" ]; }; + + ssh-pubkey = mkOption { + type = nullOr str; + description = + "SSH key of the host. Find with `ssh-keyscan`. Skip the hostname, just type and key."; + default = null; + }; }; }; 
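Review bot: The new `ssh-pubkey` option's description tells the operator to obtain the value with `ssh-keyscan`, which fetches whatever key answered over the network at that moment, yet the value becomes a pinned `programs.ssh.knownHosts` entry on every host, so the description should also say to confirm it against `/etc/ssh/ssh_host_*.pub` on the host itself (or its fingerprint via a channel already trusted) before committing, e.g. `description = "SSH host public key (type and key only, no hostname). Obtain with ssh-keyscan and verify it against /etc/ssh/ssh_host_*.pub on the host before committing.";`. The option holds one key, so a host offering several key types (plato persists both ed25519 and rsa keys) can only have one of them pinned; if that matters, a `listOf str` would be needed. Two wording fixes in the same hunk: `extra-domains` describes a list as `"Extra domain in which this host is reachable."` (should be `"Extra domains …"`), and the `aliases` text "multiplied with extra-domains" would read more plainly as "combined with the primary domain and every extra domain".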
@@ -136,5 +150,32 @@ in { enableOnBoot = true; autoPrune.enable = true; }; + + programs.ssh.knownHosts = let + keyed-hosts = + filterAttrs (host: opts: opts.ssh-pubkey != null) config.fudo.hosts; + + traceOut = obj: builtins.trace obj obj; + + crossProduct = f: list0: list1: + concatMap (el0: map (el1: f el0 el1) list1) list0; + + getHostnames = hostOpts: + [ hostOpts.hostname ] + ++ (crossProduct (host: domain: "${host}.${domain}") + ([ hostOpts.hostname ] ++ hostOpts.aliases) + ([ hostOpts.domain ] ++ hostOpts.extra-domains)); + + getHostEntryPairs = host: + map (hostname: nameValuePair hostname { publicKey = host.ssh-pubkey; }) + (getHostnames host); + + hostAttrsToList = hostAttrs: + mapAttrsToList (hostname: opts: { hostname = hostname; } // opts) + hostAttrs; + + getKnownHosts = hosts: + concatMap getHostEntryPairs (hostAttrsToList hosts); + in listToAttrs (getKnownHosts keyed-hosts); }; } diff --git a/lib/fudo/kdc.nix b/lib/fudo/kdc.nix index a4a4ef4..76ab5e3 100644 --- a/lib/fudo/kdc.nix +++ b/lib/fudo/kdc.nix 
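Review bot: `traceOut` in the new `programs.ssh.knownHosts` let-block is a leftover debug helper that nothing calls and should be removed. The `listToAttrs (getKnownHosts keyed-hosts)` shape also keys the result by hostname, so if two hosts ever declare the same alias under the same domain one of their entries is silently dropped rather than reported, and each host produces many single-name entries. Building one entry per host with the module's `hostNames` list keeps the attribute names unique (they are the `fudo.hosts` keys) and makes a clash a visible duplicate name; a sketch is below, with `crossProduct`/`getHostnames` unchanged.
```nix
programs.ssh.knownHosts = let
  keyed-hosts =
    filterAttrs (host: opts: opts.ssh-pubkey != null) config.fudo.hosts;
  # … unchanged: crossProduct, getHostnames …
in mapAttrs (hostname: opts: {
  hostNames = getHostnames (opts // { inherit hostname; });
  publicKey = opts.ssh-pubkey;
}) keyed-hosts;
```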
@@ -34,14 +34,13 @@ let ${pkgs.heimdalFull}/bin/kstash --key-file=${key-file} --random-key ${pkgs.heimdalFull}/bin/kadmin -l -c ${kdc-conf} -- init --realm-max-ticket-life="${max-lifetime}" --realm-max-renewable-life="${max-renewal}" RUS.SELBY.CA ${add-hosts-principals realm kdc-conf} - ${pkgs.heimdalFull}/bin/kadmin -l -c ${kdc-conf} -- add --random-key --use-defaults kadmin/${local-hostname}@${realm} ${pkgs.heimdalFull}/bin/kadmin -l -c ${kdc-conf} -- ext_keytab --keytab=${primary-keytab} */${local-hostname}@${realm} - ${pkgs.heimdalFull}/bin/kadmin -l -c ${kdc-conf} -- ext_keytab --keytab=${kadmin-keytab} kadmin/${local-hostname}@${realm} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${key-file} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${db-name} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${iprop-log} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${primary-keytab} - ${pkgs.coreutils}/bin/chown ${user}:${group} ${kadmin-keytab} + ${pkgs.heimdalFull}/bin/kadmin -l -c ${kdc-conf} -- ext_keytab --keytab=${kadmin-keytab} kadmin/admin@${realm} + #${pkgs.coreutils}/bin/chown ${user}:${group} ${key-file} + #${pkgs.coreutils}/bin/chown ${user}:${group} ${db-name} + #${pkgs.coreutils}/bin/chown ${user}:${group} ${iprop-log} + #${pkgs.coreutils}/bin/chown ${user}:${group} ${primary-keytab} + #${pkgs.coreutils}/bin/chown ${user}:${group} ${kadmin-keytab} fi ''; diff --git a/lib/fudo/system.nix b/lib/fudo/system.nix index 3acf379..f9cb7bb 100644 --- a/lib/fudo/system.nix +++ b/lib/fudo/system.nix 
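Review bot: Commenting out the five `chown` lines leaves the stash key file, database, iprop log and both keytabs owned by whatever identity runs this init script, and no mode is set on them anywhere in the hunk; if the KDC runs as `${user}` it can no longer read them, and if it runs as root they are only as private as the script's umask. If the lines were disabled because chown failed (for example the script no longer runs as root), ownership should be fixed where the files are created rather than dropped; otherwise restore them as `${pkgs.coreutils}/bin/chown ${user}:${group} ${key-file} ${db-name} ${iprop-log} ${primary-keytab} ${kadmin-keytab}` followed by `${pkgs.coreutils}/bin/chmod 0600 ${key-file} ${primary-keytab} ${kadmin-keytab}`. The new `ext_keytab` line writes the `kadmin/admin@${realm}` service key to `${kadmin-keytab}`, the key the admin server authenticates with, so that file's mode matters as much as the stash file's. The unchanged `init` line still hard-codes `RUS.SELBY.CA` where every other command uses `${realm}`; the script body continues outside the hunk.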
@@ -435,53 +435,88 @@ in { }; config = { - # boot.kernel.sysctl = mkIf (cfg.internal-port-map != { }) { - # "net.ipv4.conf.all.route_localhost" = "1"; - # }; - - # networking.firewall = let - # ip-forward-line = protocols: internal: external: - # concatStringsSep "\n" (map (protocol: - # "${pkgs.iptables}/bin/iptables -t nat -I PREROUTING -p ${protocol} --dport ${ - # toString external - # } -j DNAT --to 127.0.0.1:${toString internal}") protocols); - - # ip-unforward-line = protocols: internal: external: - # concatStringsSep "\n" (map (protocol: - # "${pkgs.iptables}/bin/iptables -t nat -D PREROUTING -p ${protocol} --dport ${ - # toString external - # } -j DNAT --to 127.0.0.1:${toString internal} || true") protocols); - - # protocol-list = protocol: - # if (protocol == null) then [ "tcp" "udp" ] else [ protocol ]; - # in { - # extraCommands = concatStringsSep "\n" (mapAttrsToList (name: opts: - # ip-forward-line (protocol-list opts.protocol) opts.internal-port - # opts.external-port) cfg.internal-port-map); - - # extraStopCommands = concatStringsSep "\n" (mapAttrsToList (name: opts: - # ip-unforward-line (protocol-list opts.protocol) opts.internal-port - # opts.external-port) cfg.internal-port-map); - # }; - - services.xinetd = mkIf ((length (attrNames cfg.internal-port-map)) > 0) { - enable = true; - services = let - svcs = mapAttrsToList (name: opts: opts // { name = name; }) - cfg.internal-port-map; - svcs-protocols = concatMap - (svc: map (protocol: svc // { protocol = protocol; }) svc.protocols) - svcs; - in map (opts: { - name = opts.name; - unlisted = true; - port = opts.external-port; - server = "${pkgs.coreutils}/bin/false"; - extraConfig = "redirect = localhost ${toString opts.internal-port}"; - protocol = opts.protocol; - }) svcs-protocols; + boot.kernel.sysctl = mkIf (cfg.internal-port-map != { }) { + "net.ipv4.conf.all.route_localnet" = "1"; }; + networking.firewall = let + iptables = "ip46tables"; + ip-forward-line = protocols: internal: external: + 
concatStringsSep "\n" (map (protocol: '' + # ${iptables} -I PREROUTING -p ${protocol} --dport ${ + toString external + } -j REDIRECT --to-ports ${toString internal} + # ${iptables} -I OUTPUT -p ${protocol} -i lo --dport ${ + toString external + } -j REDIRECT --to-ports ${toString internal} + # ${iptables} -I OUTPUT -p ${protocol} -o lo --dport ${ + toString external + } -j REDIRECT --to-ports ${toString internal} + + # ${iptables} -t nat -I PREROUTING -p ${protocol} --dport ${ + toString external + } -j REDIRECT --to-ports ${toString internal} + # ${iptables} -t nat -I OUTPUT -p ${protocol} -i lo --dport ${ + toString external + } -j REDIRECT --to-ports 127.0.0.1:${toString internal} + # ${iptables} -t nat -I OUTPUT -p ${protocol} -o lo --dport ${ + toString external + } -j REDIRECT --to-ports ${toString internal} + '') protocols); + + ip-unforward-line = protocols: internal: external: + concatStringsSep "\n" (map (protocol: '' + # ${iptables} -D PREROUTING -p ${protocol} --dport ${ + toString external + } -j REDIRECT --to-ports ${toString internal} + # ${iptables} -D OUTPUT -p ${protocol} -i lo --dport ${ + toString external + } -j REDIRECT --to-ports ${toString internal} + # ${iptables} -D OUTPUT -p ${protocol} -o lo --dport ${ + toString external + } -j REDIRECT --to-ports ${toString internal} + + + # ${iptables} -t nat -D PREROUTING -p ${protocol} --dport ${ + toString external + } -j REDIRECT --to-ports ${toString internal} + # ${iptables} -t nat -D OUTPUT -p ${protocol} -i lo --dport ${ + toString external + } -j REDIRECT --to-ports 127.0.0.1:${toString internal} + # ${iptables} -t nat -D OUTPUT -p ${protocol} -o lo --dport ${ + toString external + } -j REDIRECT --to-ports ${toString internal} + '') protocols); + in { + enable = true; + + extraCommands = concatStringsSep "\n" (mapAttrsToList (name: opts: + ip-forward-line opts.protocols opts.internal-port opts.external-port) + cfg.internal-port-map); + + extraStopCommands = concatStringsSep "\n" 
(mapAttrsToList (name: opts: + ip-unforward-line opts.protocols opts.internal-port opts.external-port) + cfg.internal-port-map); + }; + + # Services.xinetd = mkIf ((length (attrNames cfg.internal-port-map)) > 0) { + # enable = true; + # services = let + # svcs = mapAttrsToList (name: opts: opts // { name = name; }) + # cfg.internal-port-map; + # svcs-protocols = concatMap + # (svc: map (protocol: svc // { protocol = protocol; }) svc.protocols) + # svcs; + # in map (opts: { + # name = opts.name; + # unlisted = true; + # port = opts.external-port; + # server = "${pkgs.coreutils}/bin/false"; + # extraConfig = "redirect = localhost ${toString opts.internal-port}"; + # protocol = opts.protocol; + # }) svcs-protocols; + # }; + systemd.timers = mapAttrs (name: opts: { enable = true; description = opts.description; diff --git a/nixops/lib/hosts.nix b/nixops/lib/hosts.nix index 94a2791..6e50ab5 100644 --- a/nixops/lib/hosts.nix +++ b/nixops/lib/hosts.nix @@ -13,6 +13,7 @@ let initialize = import ../../initialize.nix; + # This is a problem...it creates a second source of truth. host-config = ip: config: { ... }: { imports = [
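Review bot: Every iptables line in `ip-forward-line` and `ip-unforward-line` begins with `#`, so `extraCommands` and `extraStopCommands` expand to shell comments and no redirection is installed, while `boot.kernel.sysctl."net.ipv4.conf.all.route_localnet"` is still switched on whenever `internal-port-map` is non-empty. That sysctl makes 127.0.0.0/8 routable on all interfaces, a loosening of loopback isolation that REDIRECT does not need (REDIRECT rewrites to the receiving interface's own address; only the old DNAT-to-127.0.0.1 approach in the removed comment required it), so as committed the change adds exposure and no forwarding. Once the rules are re-enabled, the filter-table lines (`-I PREROUTING` without `-t nat`), the `-i lo` on OUTPUT rules and `--to-ports 127.0.0.1:${toString internal}` are all rejected by iptables, which would abort the firewall start script if it runs with errexit. A reduced version keeping only the two nat-table rules per protocol, with the sysctl dropped, is sketched below; `ip-unforward-line` mirrors it with `-D`.
```nix
networking.firewall = let
  iptables = "ip46tables";
  # REDIRECT rewrites the destination to the receiving interface's own
  # address, so route_localnet is not required for these rules.
  ip-forward-line = protocols: internal: external:
    concatStringsSep "\n" (map (protocol: ''
      ${iptables} -t nat -I PREROUTING -p ${protocol} --dport ${
        toString external
      } -j REDIRECT --to-ports ${toString internal}
      ${iptables} -t nat -I OUTPUT -o lo -p ${protocol} --dport ${
        toString external
      } -j REDIRECT --to-ports ${toString internal}
    '') protocols);
  # … unchanged: ip-unforward-line (same two rules with -D) …
in {
  # … unchanged: enable, extraCommands, extraStopCommands …
};
```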